Dropbox for Business security explained: is it enterprise ready?

In less than a decade, Dropbox has made the journey from being just the best known brand in a wave of consumer cloud file storage firms to a plausible enterprise business service. It is still rare for a startup to race so dramatically from pure consumer to high end without losing something in the process, but today the firm remains a curious mixture of two often very different sectors under one banner.

The company launched Dropbox for Business in 2013 (more a relaunch of Dropbox for Teams which appeared in 2011), followed in 2015 by the ambitious Dropbox for Enterprise, both attempts to chase a market offering big margins but difficult sales calls. The firm's own figures claim that among its 500 million accounts, it is used by 8 million businesses worldwide, 150,000 of which have subscribed to Dropbox Business. More generally, one in three UK Internet users use Dropbox and around three quarters of the firm's customers are non-US.

"There is a perception that we're a consumer company and not an enterprise one," Dropbox's EMEA head of trust Mark Crosbie told Computerworld UK. Judging from the new Enterprise service, that is now a pretty misleading view. Somehow, on the quiet, Dropbox has turned into a business service.

As to the view that it competes with old-style USB sticks, Crosbie raises the obvious point that USB sticks are simply a way to carry around files, lacking collaboration, synchronisation and external sharing.

"As you start to scale and have bigger forms of collaboration all of a sudden that solution doesn't scale and the overall security posture starts to fail."

What do businesses use Dropbox for?

At the simplest end of the scale: file and data storage, large file exchange, syncing across desktop and mobile devices, and work collaboration. At the other end: deeper integration with systems such as Office 365, and the extension of file access to external collaborators with compliant admin controls and data security. In many cases, Dropbox-like services are simply a more secure and practical alternative to running a file server or handing out USB sticks, and come with the added benefit of automatic, continuous file backup that the employee can restore without involving the IT team.

Rivals might point out that such features are not unique to Dropbox although the latter does claim extremely high availability and synching performance as a selling point.

Who uses Dropbox Business? Sectors where it has gained a particular following include media agencies, advertising, manufacturing (blueprints), and architectural firms. There are also sector-specific packages such as Dropbox for Education. Collaboration is a big driver. "That tends to be the beachhead for Dropbox," admits Crosbie.

Dropbox Enterprise v Business

The two are essentially identical, offering similar user account space, admin and collaboration tools, integration with third parties via Dropbox's Business API, and even user migration (see below). Enterprise extends the analytics available on usage and collaboration and is designed to manage much larger teams. Dropbox as a whole is sold in three tiers: the individual Basic and Pro plans and full-blown Business, with the first two limiting file recovery to the previous 30 days.

Datacentres: With the ending of the Safe Harbour Agreement covering data transfers between the US and Europe, and ongoing uncertainty over its replacement, the EU-US Privacy Shield, Dropbox announced plans to host customer data within a new datacentre in Germany by Q3 2016, running on Amazon Web Services (AWS). This aspect of the service is still clearly being developed.

Compliance: HIPAA, ISO 27001, ISO 27018, and SOC 1, 2, and 3.

Dropbox - migrating 'shadow' accounts

A concern when adopting Dropbox is that some employees may already be using the service on a shadow IT basis to store business files, precisely the sort of security risk that prompts enterprises to adopt a managed deployment in the first place. The first task, then, is to identify these accounts, which in theory is not easy. However, Dropbox Business and Enterprise offer capture tools to identify existing accounts and move them under the admin control of Business or Enterprise, as well as the ability to provision users from Active Directory, LDAP or a third-party identity provider.

In BYOD environments, users can use both personal and work accounts from the same device with full data separation. Access to personal accounts from work systems is enabled by the admin.

Dropbox - authentication and SSO

As with most big-brand services, authentication support comes in two forms. The first is two-step verification, with one-time codes delivered by SMS text message or generated by a mobile authenticator app. The second is single sign-on (SSO) through an identity provider: Google Apps, Auth0, Ping Identity, OneLogin, Symantec Identity: Access Manager, Salesforce and a defined list of other providers work out of the box. Using SSO obviously requires new users to be registered with the identity provider first. Two-step verification suits smaller Business customers, while SSO will be the preferred option for Enterprise because it lets the identity provider enforce more complex authentication policies.

Dropbox - data control

Admins can enable file sharing with external users through a link granting edit or read-only access as appropriate. Shared links can be password-protected and given expiry dates, and access can be revoked on an individual or team basis. Unlimited previous versions of files can be retrieved.

Dropbox - data encryption

A vexed issue with cloud storage providers. Files are encrypted in transit with SSL/TLS and at rest with 256-bit AES, stored in 4MB chunks. As with every cloud service where the provider holds the keys, this default arrangement allows the provider's employees to access the data under defined circumstances, or when required to by a signed warrant. From 2016, UK data will be held inside a European datacentre.

According to Dropbox, this arrangement is fine even for large enterprises for about 80 percent of their data, with about 20 percent requiring the enterprise to retain the encryption keys itself for compliance reasons. The challenges here are twofold: key management, and identifying which data is critical enough to warrant it. Enterprises must also embrace device encryption to secure synced or shared data; individual devices can be linked to or unlinked from accounts, with a remote wipe facility if they are lost.
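The "retain your own keys" option described above, and the 4MB chunking mentioned in the previous section, are easier to reason about with a concrete client-side scheme in front of you. The following is an added example, not Dropbox's code and not a description of how Dropbox stores data: it encrypts a file under a customer-held AES-256 key before anything reaches the provider, chunk by chunk, and binds each chunk to its file identifier and position so that a chunk cannot be swapped into another file, reordered, tampered with or truncated away without detection. The AES-256-GCM mode, the random per-chunk nonce, the `fileID` string and the sample payload are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// ChunkSize copies the 4MB chunking the article attributes to Dropbox's own
// at-rest storage. It is used here only to give the example a realistic shape;
// the client-side scheme below is an added illustration, not Dropbox's design.
const ChunkSize = 4 * 1024 * 1024

// EncryptedChunk is one independently sealed 4MB (or shorter, final) piece.
type EncryptedChunk struct {
	Index      uint32
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output, authentication tag included
}

// newAEAD builds an AES-256-GCM instance from a 32-byte customer-held key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// chunkAAD is the additional authenticated data for one chunk. Binding the
// file identifier, the chunk index and a "last chunk" flag means a chunk
// cannot be moved to another file, reordered, or silently truncated away.
func chunkAAD(fileID string, index uint32, last bool) []byte {
	var tail [5]byte
	binary.BigEndian.PutUint32(tail[:4], index)
	if last {
		tail[4] = 1
	}
	return append([]byte(fileID), tail[:]...)
}

// EncryptFile splits plaintext into ChunkSize pieces and seals each one under
// the customer key with a fresh random nonce. The provider never sees the key.
func EncryptFile(key []byte, fileID string, plaintext []byte) ([]EncryptedChunk, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	var chunks []EncryptedChunk
	for start, idx := 0, uint32(0); ; idx++ {
		end := start + ChunkSize
		if end > len(plaintext) {
			end = len(plaintext)
		}
		last := end == len(plaintext)
		nonce := make([]byte, aead.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		ct := aead.Seal(nil, nonce, plaintext[start:end], chunkAAD(fileID, idx, last))
		chunks = append(chunks, EncryptedChunk{Index: idx, Nonce: nonce, Ciphertext: ct})
		if last {
			return chunks, nil
		}
		start = end
	}
}

// DecryptFile reassembles the file, refusing any chunk that is out of order,
// belongs to a different file, was modified, or was cut off from the end.
func DecryptFile(key []byte, fileID string, chunks []EncryptedChunk) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	for i, c := range chunks {
		if c.Index != uint32(i) {
			return nil, fmt.Errorf("chunk %d carries index %d: reordered or missing chunk", i, c.Index)
		}
		last := i == len(chunks)-1
		pt, err := aead.Open(nil, c.Nonce, c.Ciphertext, chunkAAD(fileID, c.Index, last))
		if err != nil {
			return nil, fmt.Errorf("chunk %d failed authentication: %w", i, err)
		}
		out.Write(pt)
	}
	return out.Bytes(), nil
}

func main() {
	// Constructed sample: a fixed 32-byte key and a 9MB blueprint-sized payload.
	key := bytes.Repeat([]byte{0x42}, 32)
	plaintext := make([]byte, 9*1024*1024+17)
	for i := range plaintext {
		plaintext[i] = byte(i % 251)
	}
	chunks, err := EncryptFile(key, "blueprints/site-plan.dwg", plaintext)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d bytes into %d chunks\n", len(plaintext), len(chunks))

	got, err := DecryptFile(key, "blueprints/site-plan.dwg", chunks)
	fmt.Println("round trip intact:", err == nil && bytes.Equal(got, plaintext))

	// Drop the final chunk: the new last chunk was sealed with last=false, so it fails.
	_, err = DecryptFile(key, "blueprints/site-plan.dwg", chunks[:2])
	fmt.Println("truncation detected:", err != nil)
}
```

The scheme deliberately leaves the provider with nothing but opaque chunks, which is the point of retaining keys for the compliance-sensitive 20 percent: a warrant served on the provider yields ciphertext only. The price is exactly the key management burden the article mentions, plus the loss of server-side features such as previews and deduplication. One operational caveat: with random 96-bit GCM nonces, keep the number of chunks sealed under a single key well below 2^32, and rotate keys per file or per team rather than using one key for an entire tenant.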

Dropbox - third-party integration

A major strength of Dropbox Enterprise going forward is the ability to add further security layers through the Dropbox Business API. Integration categories listed in the service's official security guide, beyond SSO, include SIEM, Data Loss Prevention (DLP), eDiscovery, Digital Rights Management, migration and dedicated backup, and custom workflow management.

Conclusion:

Dropbox has not been immune from security scares, including a small breach in 2012 and a more contentious incident in 2014 in which attackers appear to have reused passwords leaked from other sites to target weakly-secured consumer accounts. But its Business and Enterprise services have evolved into offerings that go far beyond the humble file storage game where the firm started. There is still some way to go.

The Enterprise service is still in its infancy, and the migration from serving general business needs at a departmental level to being something developers embrace presents a big challenge. The advantage of Enterprise over Business is still not sharply enough defined. Competition is also incredibly tough, not least because platform vendors such as Microsoft and Google have file storage and collaboration systems of their own, before you even get to rivals such as Box. Dropbox remains a consumer file storage and sharing service, but it is the Business and Enterprise services that will decide its future success.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.